On 10/29/2014 03:19 AM, Сапегин Валерий wrote:
Yes Dmitri, ldapsearch works well:

[root@ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/ ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D "cn=ipa-test,cn=users,dc=csbigroup,dc=ru" -w "ttttttttt" -s base -b "cn=users,dc=csbigroup,dc=ru"
dn: cn=users,dc=csbigroup,dc=ru
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=csbigroup,DC=ru
instanceType: 4
...
...


Ok. Now try to do a Windows sync with the dirsrv replication error log level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting

Then we can take a look at the detailed errors.


Best regards, Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий <unit...@gmail.com>:

    Hello!

    I tried to configure synchronization between FreeIPA and Windows
    AD 2012. The first time, accounts from AD synchronized
    properly, but the next scheduled run after 5 min does not work, and in the error
    log I see the following errors:

    # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
    [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin -
    agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389):
    Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin -
    agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389):
    Replica has no update vector. It has never been initialized.
    [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin -
    agmt="cn=meTocsbi-it-dc01.csbigroup.ru" (csbi-it-dc01:389):
    Replica has no update vector. It has never been initialized.

    First synchronization output

    Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to
    certificate database for ipa.test-csbi-its.ru
    ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
    The user for the Windows PassSync service is
    uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
    Windows PassSync entry exists, not resetting password
    ipa: INFO: Added new sync agreement, waiting for it to become
    ready . . .
    ipa: INFO: Replication Update in progress: FALSE: status: 0
    Replica acquired successfully: Incremental update started: start:
    0: end: 0
    ipa: INFO: Agreement is ready, starting replication . . .
    Starting replication, please wait until this has completed.
    Update in progress, 13 seconds elapsed
    [ipa.test-csbi-its.ru] reports:
    Update failed! Status: [-1 Total update abortedLDAP error: Can't
    contact LDAP server]

    Failed to start replication



    FreeIPA server version 3.3.3
    OS version Centos 7
    AD Domain 2012

    Can you help me to resolve this problem?

    Best regards, Valeriy
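
One way to condense repeated agreement errors like those quoted in the original report, so that runs at a higher log level can be compared quickly. This is an added example, not part of the thread and not code from 389 DS or FreeIPA; `summarize` and its field names are hypothetical, and the sample is the thread's three entries with mail wrapping undone plus one constructed unrelated line.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Sample input: the thread's three entries with mail wrapping undone,
# plus one constructed unrelated line.
_AGMT = ('NSMMReplicationPlugin - agmt="cn=meTocsbi-it-dc01.csbigroup.ru" '
         '(csbi-it-dc01:389): Replica has no update vector. '
         'It has never been initialized.')
SAMPLE_LOG = "\n".join([
    "[23/Oct/2014:15:51:34 +0300] " + _AGMT,
    "[23/Oct/2014:15:51:37 +0300] " + _AGMT,
    "[23/Oct/2014:15:51:40 +0300] " + _AGMT,
    "[23/Oct/2014:15:52:01 +0300] example-plugin - constructed unrelated line",
])

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
ENTRY = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+NSMMReplicationPlugin\s+-\s+'
    r'agmt="(?P<agmt>[^"]+)"\s+\((?P<peer>[^)]+)\):\s+(?P<msg>.+)$')


def summarize(text):
    """Collapse repeated replication-agreement entries into one row each."""
    rows = OrderedDict()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a replication-agreement entry
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        key = (m["agmt"], m["peer"], m["msg"])
        row = rows.setdefault(key, {
            "agreement": m["agmt"], "peer": m["peer"], "message": m["msg"],
            "count": 0, "first": ts, "last": ts,
            # Wording taken from the log lines quoted in the thread.
            "never_initialized": "never been initialized" in m["msg"],
        })
        row["count"] += 1
        row["first"] = min(row["first"], ts)
        row["last"] = max(row["last"], ts)
    return list(rows.values())


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        flag = " [never initialized]" if r["never_initialized"] else ""
        print(f'{r["agreement"]} -> {r["peer"]}: {r["count"]}x '
              f'{r["first"]:%H:%M:%S}..{r["last"]:%H:%M:%S}{flag}')
```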
